A significant security vulnerability has emerged in Gogs, an open-source self-hosted Git service, allowing authenticated users to execute arbitrary code under specific conditions. This flaw, rated 9.4 on the CVSS scale, has not yet been assigned a Common Vulnerabilities and Exposures (CVE) identifier, raising concerns that it may be overlooked by the cybersecurity community.

According to security researcher Jonah Burgess from Rapid7, the vulnerability occurs when an authenticated user creates a pull request with a malicious branch name. The branch name is passed to the git rebase command during the ‘Rebase before merging’ operation, where it injects the --exec flag, potentially enabling remote code execution (RCE) on the server.

The rebase operation in Git allows users to integrate changes from a feature branch onto a base branch, resulting in a linear project history. While similar to merging, rebase rewrites commit history by creating new commits, introducing a level of complexity that the vulnerability exploits. Notably, this flaw does not require administrative privileges or interaction with other users: an attacker who starts without an account only needs to register and create a repository on a default-configured Gogs instance.

In essence, any registered user automatically owns the repositories they create, and with the right settings enabled, the entire exploit can be carried out by that user alone. A user who already has write access to a repository where rebase is enabled can exploit this flaw directly, gaining code execution on the server. This could have severe implications for any compromised server, including unauthorized access to repositories and sensitive credentials.
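As an added illustration, not code from Gogs or from Rapid7's research, the following shows one defensive pattern for passing user-controlled branch names to git without argument injection: validate the name against git's ref-name rules, reject anything beginning with a dash so it can never be read as an option, build the argv as a list with no shell, and place the refs after --end-of-options. The function names are assumptions of this example, and support for --end-of-options in git rebase is assumed for the installed git version.

```python
import re
import subprocess

# Characters and sequences git never allows in a ref name
# (rules from git-check-ref-format: control chars, space, ~ ^ : ? * [ \, "..", "@{").
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{")


def is_safe_ref_name(name: str) -> bool:
    """Return True only for names that are valid git refs AND can never be
    parsed as a command-line option by git (i.e. no leading dash)."""
    if not name or name == "@" or name.startswith("-"):
        return False
    if _FORBIDDEN.search(name):
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if name.endswith(".") or name.endswith(".lock"):
        return False
    # No slash-separated component may start with '.' or end with '.lock'.
    return all(not (c.startswith(".") or c.endswith(".lock")) for c in name.split("/"))


def build_rebase_argv(base: str, head: str) -> list[str]:
    """Build argv for 'git rebase <base> <head>'. The refs are validated first
    (defence in depth) and then placed after --end-of-options, a documented git
    feature assumed to be available here, so a name such as '--exec' can never
    be interpreted as a flag even if validation were bypassed."""
    for ref in (base, head):
        if not is_safe_ref_name(ref):
            raise ValueError(f"refusing to pass unsafe ref name to git: {ref!r}")
    return ["git", "rebase", "--end-of-options", base, head]


def run_rebase(repo_dir: str, base: str, head: str) -> int:
    """Run the rebase without a shell: argv is a list, so no word splitting or
    shell metacharacter expansion is applied to the ref names."""
    argv = build_rebase_argv(base, head)
    return subprocess.run(argv, cwd=repo_dir, check=False).returncode
```

Validation alone is not enough in a multi-user service, because refs can be created by paths other than the web UI; the separator and the absence of a shell are what make the command line itself safe.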

As of the current reporting, the vulnerability remains unpatched despite being disclosed to Gogs maintainers earlier this year. The risk extends beyond individual instances: on shared servers it poses a potential cross-tenant data breach risk, enabling unauthorized access to private repositories hosted alongside the attacker's own. Upon investigation, Rapid7 has indicated that this vulnerability could affect all major operating systems, including Windows, Linux, and macOS.

The cybersecurity community estimates that there are approximately 1,141 internet-facing Gogs instances; however, the total could be significantly higher, given many deployments exist behind Virtual Private Networks (VPNs) or within internal networks. Without a patch, organizations are urged to implement various mitigations, including restricting user registrations and repository creation to limit potential attack vectors.

In addition to standard recommendations, Rapid7 has provided a Metasploit module capable of automating the exploitation against targeted systems. This module can operate in two primary modes: creating a temporary repository under the attacker’s account or exploiting an existing repository where the attacker already possesses write access. The implications of this vulnerability present a clear target for leveraging initial access and privilege escalation tactics as delineated by the MITRE ATT&CK framework.

Finally, Gogs has announced the release of a patch in version 0.14.3, which became available on June 7, 2026. Organizations utilizing Gogs are strongly advised to update their instances promptly to mitigate the exploit risks associated with this critical vulnerability.
